IMF 2015

9th International Conference on
IT Security Incident Management & IT Forensics

May 18th - 20th, 2015
Magdeburg, Germany

Conference of SIG SIDAR
of the German Informatics Society (GI).

Preliminary Conference Program - subject to change

Monday, May 18th, 2015

Time Presentation / Description Speaker/Author/Session Chair
From 10:00 Registration and Welcome Coffee
11:00 - 11:10 Welcome General Chair/Program Co-Chair
Jana Dittmann
Research Group Multimedia and Security, Department of Computer Science, Institute of Technical and Business Information Systems, Otto-von-Guericke-University of Magdeburg

Program Co-Chair
Holger Morgenstern
Dean, Faculty of Computer Science, Albstadt-Sigmaringen University
11:10 - 12:00 Keynote:
Challenges and opportunities in IT Forensics and forensic data science

Zeno Geradts
Netherlands Forensic Institute and University of Amsterdam

12:00 - 13:00 Forensics Session Part 1
Andreas Dewald
Windows NT pagefile.sys Virtual Memory Analysis
Michael Gruhn
Recovery of SQLite Data using expired Indexes
Felix Ramisch, Martin Rieger
13:00 - 14:00 Lunch Break
14:00 - 15:00 Forensics Session Part 2
Andreas Dewald
Improving the detection of encrypted data on storage devices
Simon Thurner
Marcel Grün
Sven Schmitt
Harald Baier
What is Essential in File System Forensic Analysis?
Felix Freiling
Michael Gruhn
15:00 - 15:30 Coffee Break
15:30 - 17:00 Incidents and Forensics
Jens Nedon
Towards automated incident handling: How to select an appropriate response against a network-based attack?
Sven Ossenbühl
Jessica Steinberger
Harald Baier
Mobile Payment Fraud: A practical view on the Technical Architecture and Starting Points for Forensic Analysis of new attack scenarios
Christof Kier
Gerald Madlmayr
Alexander Nawratil
Michael Schafferer
Christian Schanes
Thomas Grechenig
Characteristic Evidence, Counter Evidence and Reconstruction Problems in Forensic Computing
Andreas Dewald
17:00 - 18:00 Incident Response and Pentesting Panel Discussion
Oliver Göbel (RUS-CERT, Universität Stuttgart)
Detlef Günther (Volkswagen AG)
Sebastian Nerz (SySS Gmbh)
Volker Krummel (Wincor Nixdorf)
Oliver Nyderle (T-Systems Multimedia Solutions GmbH)
18:00 - 18:05 Wrap up Day 1 and information for the evening event
Jana Dittmann
18:30 Start social event: Dinner at the Haus des Handwerks, Gareisstraße 10, 39106 Magdeburg

Tuesday, May 19th, 2015

Time Presentation / Description Speaker/Author/Session Chair
09:00 - 10:00 Special Session on Malware Analysis / Malware Forensics
Tobias Hoppe
Stefan Kiltz
Platform-Independent Malware Analysis Framework
Ulf Lösche
Maik Morgenstern
Hendrik Pilz
Smart Home Definition and Security Threats
Michael Schiefer
10:00 - 11:00 Special session on teaching forensics and incident management
Christian Krätzer
Volker Krummel
Supporting Forensic Design - a Course Profile to Teach Forensics
Stefan Kiltz
Jana Dittmann
Claus Vielhauer
Conception of a Master Course for IT and Media Forensics Part II: Android Forensics
Knut Bellin
Reiner Creutzburg
11:00 - 11:30 Coffee Break
11:30 - 12:30 Special session on digitized forensics part 1
Claus Vielhauer
Mario Hildebrandt
Digitized Forensics Challenges: Crime Scene Traces - An Overview from the DigiDak(+) Project
Claus Vielhauer
DigiDak(+) Results: From Fingerprints, Locksmith, Firearm and Fibre Traces to challenges in the digital forensic analysis
Jana Dittmann
Robert Fischer
12:30 - 13:30 Lunch Break
13:30 - 15:00 Special session on digitized forensics part 2
Claus Vielhauer
Mario Hildebrandt
Invited Talk:
Challenges from the signal processing domain
Sabah Jassim, University of Buckingham, UK
Special Session Panel: Crime Scene Investigations - Achievements and Practical and Future Challenges
Joanna Vella
Laboratory of Molecular Genetics, University of Malta

Sabah Jassim
University of Buckingham

Thomas Leich
Metop GmbH

Thomas Fries
Fries Research and Technology GmbH

Martin Schäler
Databases and Software Engineering, Otto von Guericke University Magdeburg
and other experts from the research field
Latent Fingerprint Aging from a Hyperspectral Perspective: First Qualitative Degradation Studies using UV/VIS Spectroscopy
Ronny Merkel
15:00 - 15:30 Coffee Break
15:30 - 15:40 Wrap up Day 2, Introduction Demonstrator and Center Tours
Stefan Kiltz
15:40 - 16:30 DigiDak(+) Demonstrator tour AMSL - Group 1
DigiDak(+) Demonstrator tour AMSL - Group 2
Ronny Merkel
Mario Hildebrandt
15:40 - 16:30 IKAM and AMSLator - Automotive Security Demo Tour
Robert Altschaffel
Sven Kuhlmann
15:40 - 16:30 Tour through the Otto von Guericke Center
local tour guide

Wednesday, May 20th, 2015 - WORKSHOP DAY

Time Presentation / Description Organisation
09:00 - 10:00 MicroSystemation Workshop - Challenges of securing mobile devices, getting the data phones do not want to share - Part 1
Martin Westman (Micro Systemation)
10:00 - 10:30 Coffee Break
10:30 - 11:30 MicroSystemation Workshop - Challenges of securing mobile devices, getting the data phones do not want to share - Part 2
Martin Westman (Micro Systemation)
11:30 - 12:30 Lunch Break
12:30 - 14:30 Excerpt from SANS FOR508.2 - Memory Forensics in Incident Response with Volatility - Part 1
Manuel Schönthaler (SANS Institute)
Matthias Fuchs (SANS Institute)
Please download the material from the downloads section ahead of attending the workshop
14:30 - 15:00 Coffee Break
15:00 - 17:00 Excerpt from SANS FOR508.2 - Memory Forensics in Incident Response with Volatility - Part 2
Manuel Schönthaler (SANS Institute)
Matthias Fuchs (SANS Institute)
Please download the material from the downloads section ahead of attending the workshop
17:00 Good Bye
Holger Morgenstern

Workshop Program

"Challenges of securing mobile devices, getting the data phones do not want to share" Martin Westman (MicroSystemation)

As the title implies, we face harder and harder challenges in getting the data out of phones. In mobile forensics we are currently in a cat-and-mouse game, using exploits and features in ways that Apple, Google and Microsoft have not intended. As soon as a feature or exploit goes public, it gets patched or tweaked by the manufacturer and we have to find new ways. This is a constant struggle in forensics and it gets harder and harder.
In the WhatsApp part we will do a live demo and explain why we don't get any data out of Android devices on a logical extraction anymore, but also how you can still trick WhatsApp into sharing chat data with us. After being blown up in the media, WhatsApp has gone from no (or very little) effort to obfuscate personal chat data to now being one of the safest among the widespread chat apps. So this will be a case study of the steps WhatsApp has taken to protect its users' personal data.
In "Lock features in Android and how to bypass some of them" we will take a look at how to use different tools to access locked devices, see what can be done, and where we have no suitable solutions today: using JTAG, ADB commands and recovery images.
In the last part, "Using Python to visualize data from apps not supported by forensics tools", we will briefly look into the big challenges that lie ahead: supporting locally popular apps that are not supported by the standard forensics tools. New apps pop up every day, and it is not possible for the forensics tools to keep up with app support at the local level. Using Python scripts to assist in supporting unsupported apps is crucial for solving today's and tomorrow's forensics challenges in the app field.
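The kind of helper script the last workshop part refers to, as an added example that is not part of the workshop material or of any MicroSystemation tool: it opens an app's SQLite database that no commercial forensics tool parses, checks that the expected table exists, normalises the millisecond epoch timestamps Android apps commonly store, and builds a per-contact summary and a chronological timeline. The schema (a `messages` table with `msg_id`, `contact`, `body`, `ts_ms`, `is_outgoing`) and the sample rows are constructed for this example; a real app's database will differ and the column names must be adapted after inspecting it.

```python
"""Added example: parse a chat database from an app that forensics tools do
not support, and turn it into a timeline. Schema and rows are hypothetical."""
import sqlite3
from datetime import datetime, timezone

# Constructed sample standing in for an app database pulled from a handset
# (e.g. /data/data/<pkg>/databases/chat.db). Timestamps are ms since epoch
# (2015-05-18 10:00, 10:01, 11:00 and 12:00 UTC); row 3 has a NULL body.
SAMPLE_ROWS = [
    (1, "alice", "hi, are you at IMF?", 1431943200000, 0),
    (2, "alice", "yes, room 2",         1431943260000, 1),
    (3, "bob",   None,                  1431946800000, 0),
    (4, "alice", "see you at lunch",    1431950400000, 1),
]


def build_sample_db():
    """Create an in-memory database with the hypothetical app schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE messages ("
        " msg_id INTEGER PRIMARY KEY, contact TEXT, body TEXT,"
        " ts_ms INTEGER, is_outgoing INTEGER);"
    )
    conn.executemany("INSERT INTO messages VALUES (?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def list_tables(conn):
    """Enumerate tables from sqlite_master; the first thing to do with an
    unknown app database is to see what is actually in it."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name"
    ).fetchall()
    return [r[0] for r in rows]


def to_utc_iso(ts_ms):
    """Android apps usually store milliseconds since the Unix epoch."""
    return datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc).isoformat()


def extract_messages(conn, table="messages"):
    """Pull every message, oldest first, as plain dicts.

    The table name is validated against sqlite_master before it is
    interpolated, so a wrong or attacker-chosen name cannot reach the SQL."""
    tables = list_tables(conn)
    if table not in tables:
        raise ValueError(f"table {table!r} not found; tables present: {tables}")
    sql = (f'SELECT msg_id, contact, body, ts_ms, is_outgoing FROM "{table}"'
           " ORDER BY ts_ms, msg_id")
    messages = []
    for msg_id, contact, body, ts_ms, is_outgoing in conn.execute(sql):
        messages.append({
            "id": msg_id,
            "contact": contact,
            "body": body if body is not None else "<no body stored>",
            "ts": to_utc_iso(ts_ms),
            "outgoing": bool(is_outgoing),
        })
    return messages


def per_contact_counts(messages):
    """Message volume per contact, a quick view of who the user talked to."""
    counts = {}
    for m in messages:
        counts[m["contact"]] = counts.get(m["contact"], 0) + 1
    return counts


def timeline(messages):
    """One line per message: UTC time, direction arrow, contact, body."""
    return [
        f"{m['ts']} {'->' if m['outgoing'] else '<-'} {m['contact']}: {m['body']}"
        for m in messages
    ]


if __name__ == "__main__":
    db = build_sample_db()
    print("tables:", list_tables(db))
    msgs = extract_messages(db)
    print("per contact:", per_contact_counts(msgs))
    print("\n".join(timeline(msgs)))
```

Against a real database you would replace `build_sample_db()` with `sqlite3.connect(path)` on a copy of the extracted file (and its `-wal`/`-journal` siblings), inspect `list_tables()` first, and only then map the app's real column names onto the query.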

"Excerpt from SANS FOR508.2 - Memory Forensics in Incident Response with Volatility" Mathias Fuchs (SANS)

Now a critical component of many incident response teams that detect advanced threats in their organization, memory forensics has come a long way in just a few years. It can be extraordinarily effective at finding evidence of worms, rootkits, and advanced malware used by APT groups.
Memory analysis was traditionally solely the domain of Windows internals experts, but the recent development of new tools makes it accessible today to anyone, especially incident responders. Better interfaces, documentation, and built-in detection heuristics have greatly leveled the playing field.
This section will introduce Volatility, one of the best free tools available, and give you a solid foundation in adding core and advanced memory forensic skills to your incident response and forensics capabilities.
Topics include:
  • Advanced Memory Analysis with Volatility
  • Code Injection, Malware, and Rootkit Hunting in Memory
  • Perform In-memory Windows Registry Examinations
  • Extract Typed Adversary Command Lines
  • Investigate Windows Services
  • Find and Dump Cached Files from RAM
  • Dumping Hashes and Credentials from Memory
  • Attention: additional material is required; it will be provided to the participants ahead of the course.